DETAILED ACTION

1. This Final Office action is in reply to the applicant amendment filed on 15 January 2009. 

2. Claims 1, 2, 5, 19, 20, and 22 have been amended. 

3. Claims 1-30 are currently pending and have been examined. 

4. Applicants' amendment necessitated a new grounds of rejection. 

Response to Amendment 

5. In the previous office action, Claims 1-18 were rejected under 35 U.S.C. §101 because the 
claimed invention is directed to non-statutory subject matter. Since the Applicants have
amended Claim 1 to recite statutory subject matter, the rejection is withdrawn, including for
dependent Claims 2-18.

Response to Arguments 

6. Applicant's arguments filed 15 January 2009 have been fully considered but they are not 
persuasive. 

7. Applicant submits that Callahan (U.S. Pub. No. 2003/0229525) does not teach or suggest in 
amended Claim 1: (1) assessing, via server, an impact on the enterprise from a degradation of
the services from the outside service provider, wherein assessing the impact on the enterprise 
comprises assessing a business impact on the enterprise and assessing a country impact on the 
enterprise [see Remarks page 12, first paragraph], and (2) automatically determining, via the 
server, a criticality of the outside service provider in response to the assessment [see Remarks 
page 12, first paragraph]. 

8. With regard to argument (1), the Examiner respectfully disagrees. Callahan teaches assessing
(risk assessment module), via server, an impact (impact value) on the enterprise from a 
degradation (perceivable threats, damage that could occur, insufficient to ensure compliance in 
an area represented by the question) of the services from the outside service provider (Third 
Party Service Provider, the impact is less critical than if account balances, account numbers, and 
transactions were revealed) (see at least paragraphs 0025-0028 and 0060), wherein assessing 
the impact on the enterprise comprises assessing a business impact on the enterprise (risk, 
probability and impact (R, P, I), business organization) (see at least paragraphs 0066-0070 and 
FIG. 20). However, Callahan does not specifically teach assessing a country impact on the
enterprise. Callahan in view of Bott teaches assessing a country impact on the enterprise 
(country risk assessment system, volatility risk) (see at least column 7, line 39 through column 8, 
line 22 and Figure 4). 

9. With regard to argument (2), the Examiner respectfully disagrees. Callahan teaches 
automatically determining a criticality of the outside service provider in response to the 
assessment (the impact is less critical than if account balances, account numbers, and 
transactions were revealed, qualitative characterization of the risk, overall risk rating, 
assessment) (see at least paragraphs 0060 and 0069-0071). 



Claim Rejections - 35 USC §103 



10. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as 
set forth in section 102 of this title, if the differences between the subject matter sought to be 
patented and the prior art are such that the subject matter as a whole would have been obvious 
at the time the invention was made to a person having ordinary skill in the art to which said 
subject matter pertains. Patentability shall not be negatived by the manner in which the invention 
was made. 

11. Claims 1-11, 15-25, and 29-30 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Callahan (U.S. Pub. No. 2003/0229525) in view of Bott (U.S. 6,856,973). 

With regard to Claim 1, Callahan teaches a method and system comprising:

• identifying, via a user interface, outside service provider information that 
describes the outside service provider (provide a population of all third-party 
providers and risk-rank them) (see at least paragraph 0028). 

• storing the outside service provider information in a database (Assessment 
templates, 612, are also stored in fixed storage) (see at least paragraph 
0043). 

• identifying, via the user interface, resource information that describes 
resources of the enterprise associated with services provided by the outside 
service provider (the type of data shared between the financial services 
company and the provider) (see at least paragraph 0028). 

• storing the resource information in the database (Assessment templates, 
612, are also stored in fixed storage) (see at least paragraph 0043). 

• assessing (risk assessment module), via server, an impact (impact value) on 
the enterprise from a degradation (perceivable threats, damage that could 
occur, insufficient to ensure compliance in an area represented by the 
question) of the services from the outside service provider (Third Party 
Service Provider, the impact is less critical than if account balances, account 
numbers, and transactions were revealed) (see at least paragraphs 0025-0028
and 0060), wherein assessing the impact on the enterprise comprises
assessing a business impact on the enterprise (risk, probability and impact 
(R, P, I), business organization) (see at least paragraphs 0066-0070 and 
FIG. 20). 

• storing the assessment in the database (Assessment templates, 612, are
also stored in fixed storage) (see at least paragraph 0043). 

• automatically, via the server, determining a criticality of the outside service
provider in response to the assessment (the impact is less critical than if
account balances, account numbers, and transactions were revealed)
(overall risk rating, assessment) (see at least paragraphs 0060 and 0069-0071).

• storing the criticality in the database (Assessment templates, 612, are also 
stored in fixed storage) (see at least paragraph 0043). 

• providing, via the user interface, status data from the database (SQL 
database) (see at least paragraph 0055), wherein the status data comprises 
at least one of a status of: 

o the resource information

o the assessment (updated to change the status of the assessment) (see at least paragraph 0055).

o the criticality (critical) (see at least paragraph 0060).

Callahan does not specifically teach assessing a country impact on the enterprise. Bott 
teaches assessing a country impact on the enterprise (Re-exports, are also highly correlated to 
imports so that their impact on the net foreign asset position of a country is less significant, 
country risk assessment system, volatility risk) (see at least column 7, line 39 through column 8, 
line 22 and Figure 4) in analogous art of assessing creditworthiness of a country for the purposes 
of, "[u]nits of government could use their legal empowerment to delay or discontinue transactions" 
(see at least column 6, lines 20-37, column 7, line 39 through column 8, line 22 and Figure 4). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to
combine the volatility risk of that country as taught by Bott with the integrated compliance 
monitoring method of Callahan. One of ordinary skill in the art would have been motivated to do 
so for the benefit of knowing an updated status of a country's ability to maintain a strong 
economic status (Bott, column 8, lines 10-22). 

With regard to Claim 19, Callahan teaches a system, interface, database server, and 
application server (Microsoft's Internet Information Services) (see at least paragraph 0047). 
Claim 19 is further substantially similar to claim 1 and is rejected for the same rationale as set 
forth above in Claim 1. 

With regard to Claims 2 and 20, Callahan does not specifically teach identifying countries 
in which the outside service provider operates and determining a country impact risk associated 
with the countries, wherein the step of automatically determining the criticality is also in response 
to the country impact risk. Bott teaches identifying countries in which the outside service provider 
operates and determining a country impact risk (country risk assessment system, volatility risk) 
associated with the countries, wherein the step of automatically determining the criticality is also 
in response to the country impact risk (drastic action is required, drastic measures) in analogous 
art of assessing creditworthiness of a country for the purposes of, "[u]nits of government could 
use their legal empowerment to delay or discontinue transactions" (see at least column 7, line 39 
through column 8, line 22 and Figure 4). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the volatility risk of that country as taught by Bott with the integrated compliance 
monitoring method of Callahan. One of ordinary skill in the art would have been motivated to do 
so for the benefit of knowing an updated status of a country's ability to maintain a strong 
economic status (Bott, column 8, lines 10-22). 



Application/Control Number: 10/664,283 Page 7 

Art Unit: 3624 

With regard to Claim 3, Callahan does not specifically teach collecting economic 
condition information with respect to the country; storing the economic condition information in the 
database; collecting social condition information with respect to the country; storing the social 
condition information in the database; collecting political condition information with respect to the 
country; and storing the political condition information in the database. Bott teaches collecting
economic (economic) condition information with respect to the country; storing the economic 
condition information in the database (creating a database of economic scores for the country) 
(see at least column 1, lines 36-45); collecting social condition (social) information with respect to
the country; storing the social condition information in the database; collecting political condition
information with respect to the country; and storing the political condition (political) (see at least
column 4, lines 64-67 and column 5, lines 1-7) information in the database in analogous art of 
assessing creditworthiness of a country for the purposes of, "[f]actors that may interfere with an 
ability or willingness of a country and its economic agents to honor their financial or contractual 
obligations to non-resident owners..." (see at least column 5, lines 2-7).

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the economic and risk factors of a country as taught by Bott with the integrated 
compliance monitoring method of Callahan. One of ordinary skill in the art would have been 
motivated to do so for the benefit of implementing a country risk assessment system (Bott, 
column 4, lines 64-67). 

With regard to Claims 4 and 21, Callahan teaches wherein at least one of the resources 
of the enterprise includes at least one software application employed by the enterprise 
(Application Software) (see at least paragraph 0029). 



With regard to Claims 5 and 22, Callahan teaches: wherein the step of assessing the 
business impact (risk, probability and impact (R, P, I), business organization) (see at least 
paragraphs 0066-0070 and FIG. 20) on the enterprise further comprises at least one of: 

• assessing an impact on external customers (customer's name) (see at least 
paragraph 0060) of the enterprise resulting from the degradation of the 
services from the outside service provider. 

• assessing an impact on internal customers (of other areas of the enterprise) 
(see at least paragraph 0025) of the enterprise resulting from the degradation 
of the services from the outside service provider. 

• assessing a financial impact (account balances, account numbers, and 
transactions) resulting from the degradation of the services from the outside 
service provider (see at least paragraph 0060). 

• assessing an allowable time period that the degradation of the services from 
the outside service provider can last. 

• assessing an impact on regulatory obligations (monitoring compliance with 
the GLBA [Gramm-Leach-Bliley Act (GLBA), paragraph 0002]) resulting from 
the degradation of the services from the outside service provider (see at least 
paragraph 0020). 

With regard to Claims 6 and 23, Callahan teaches assigning specific people (data 
guardian) to fulfill roles with respect to management of a relationship with the outside service 
provider, wherein the roles include at least one of information owner and information risk 
manager (see at least paragraph 0034). 

With regard to Claims 7 and 24, Callahan teaches receiving acknowledgements of the 
acceptances of the assignments from the specific people (obtains a sign-off from the approver) 
(see at least paragraph 0034). 

With regard to Claims 8 and 25, Callahan teaches assigning alternate people to fulfill the
roles (one or more re-viewers or "data guardians") (see at least paragraph 0026). 



With regard to Claim 9, Callahan teaches wherein the role of the information owner 
comprises at least one of: 

• obtaining from the outside service provider copies of financial and
non-financial audit reports (audits) (see at least paragraph 0024).

• obtaining documentation describing the outside service provider's 
procedural, physical access, logical access and business recovery controls 
(emphasizing those that have access to or who manipulate, store, transmit or 
destroy the company's consumer customer information) (see at least 
paragraph 0028). 

• requiring notification by the outside service provider of any organization, 
security-related and other changes affecting the availability, confidentiality, or 
integrity of the services provided by the outside service provider. 

• initiating the risk assessment process (The process starts at 201) (see at 
least paragraph 0026). 



With regard to Claim 10, Callahan teaches wherein the role of information risk manager 
(data guardian) comprises at least one of: 

• maintaining an updated list of outside service providers used by the 
enterprise (the database is kept updated) (see at least paragraphs 0054-0056).

• allocating resources for the outside service provider assessment process. 

With regard to Claims 11 and 30, Callahan teaches wherein all of the steps of the method
are facilitated using a software application (risk assessment module), the method further 
comprising: 

• generating data input screens for accepting input from a user (screens that 
show detail of how comments are entered and risk values are established) 
(see at least paragraph 0059). 

• providing drop down boxes on the data input screens in order to facilitate 
selection of predefined information (a drop-down box, accessed from the tab, 
displays that progress) (see at least paragraph 0058). 

With regard to Claims 15 and 29, Callahan teaches providing status data on the enterprise level;
providing status data on a line of business level; and providing status data on a department level 
(handle assessments at whatever level a business unit or the enterprise wants, executives, 
administrators, senior managers) (see at least paragraph 0032). 

With regard to Claim 16, Callahan teaches wherein the enterprise has policies and 
procedures (policies and procedures) for protecting the integrity of the provision of services 
(Identify perceivable threats, evaluate the likelihood of those threats), the method further 
comprising assessing the compliance (compliance) of the outside service provider to the policies 
and procedures (see at least paragraph 0025). 

With regard to Claim 17, Callahan teaches developing a corrective action plan if the 
outside service provider is not in compliance, the corrective action plan containing the steps 
required to bring the outside service provider into compliance (The assessor works through 
whatever corrective action needs to be taken on the assessment and re-submits it to the data 
guardian) (see at least paragraph 0057). 



With regard to Claim 18, Callahan teaches obtaining an acknowledgement by 
management of the enterprise of risk associated with the non-compliance of the outside service 
provider (non-compliance is indicated based on a response or group of responses) (see at least 
paragraph 0023). 

12. Claims 12-14 and 26-28 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Callahan in view of Bott as applied to Claims 1-11, 15-25, and 29-30 above, and in further view 
of Borgia et al (Borgia) (U.S. Pub. No. 2002/0129221). 

With regard to Claims 12 and 26, Callahan and Bott do not teach assessing a recovery 
plan of the outside service provider. Borgia teaches assessing a recovery plan (plan accessible to 
a crisis team for recovery) of the outside service provider (see at least paragraph 0043) in 
analogous art of tracking compliance with policies related to management of risk for the purposes 
of "...an information policy provides the requirements for disaster recover preparedness" (see at 
least paragraph 0043). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the disaster recover preparedness plan as taught by Borgia with the economic and risk 
factors of a country as taught by Bott and the integrated compliance monitoring method of 
Callahan. One of ordinary skill in the art would have been motivated to do so for the benefit of 
un-interrupted business process due to a backup recovery plan (Borgia, paragraph 0043). 

With regard to Claims 13 and 27, Callahan and Bott do not teach questioning the 
developer of the plan as to whether it has required elements; and developing a corrective action 
plan to address missing required elements. Borgia teaches questioning the developer (risk 
management assessor) of the plan as to whether it has required elements (consisting of a series 
of questions that must be answered with appropriate responses to product compliance) and 
developing a corrective action plan to address missing required elements (reviews areas of
non-compliance and the associated risk acknowledgements to provide approval if appropriate) in
analogous art of tracking compliance with policies related to management of risk for the purposes 
of "having an approved process or plan in place to achieve compliance" (see at least paragraphs
0043-0057). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the disaster recover preparedness plan as taught by Borgia with the economic and risk 
factors of a country as taught by Bott and the integrated compliance monitoring method of 
Callahan. One of ordinary skill in the art would have been motivated to do so for the benefit of 
increased awareness and corrective measures for missing elements or non-compliance with a 
business institution (Borgia, paragraphs 0043-0057). 

With regard to Claims 14 and 28, Callahan and Bott do not teach an alternate site for 
providing the services; and a business continuity plan for resumption of the services at the 
alternate site. Borgia teaches an alternate site for providing the services (may depend upon such 
factors as whether information is stored off site on a regular basis) and a business continuity plan 
for resumption of the services at the alternate site (Once risk is acknowledged, a plan for 
reducing the risk or bringing the project into compliance can be formulated) in analogous art of 
tracking compliance with policies related to management of risk for the purposes of "The rating for 
disaster recovery readiness may depend upon such factors as whether information is stored off 
site on a regular basis, intervals in which system backups are made, robustness of computer 
recovery systems" (see at least paragraph 0017).

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the disaster recover preparedness plan as taught by Borgia with the economic and risk 
factors of a country as taught by Bott and the integrated compliance monitoring method of 
Callahan. One of ordinary skill in the art would have been motivated to do so for the benefit of 
survivability due to a disaster by having an alternate backup (Borgia, paragraph 0017). 

Conclusion

13. The following prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure: 

• Dickstein et al (U.S. Pub. No. 2002/0087373) discloses a system and method to organize 
and manage corporate capitalization and securities. 

14. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office 
action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is 
reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from 
the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the 
mailing date of this final action and the advisory action is not mailed until after the end of the 
THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the 
date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be 
calculated from the mailing date of the advisory action. In no event, however, will the statutory 
period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should
be directed to THOMAS MANSFIELD whose telephone number is (571)270-1904. The examiner can 
normally be reached on Monday-Thursday 8:30 am-6 pm, alt. Fridays. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Bradley Bayat can be reached on 571-272-6704. The fax phone number for the organization where this 
application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) 
at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative 
or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or
571-272-1000.


Examiner, Art Unit 3624 

24 April 2009 
Thomas Mansfield 



/Bradley B Bayat/ 

Supervisory Patent Examiner, Art Unit 3624 



